Update allowed HTML tags in safe output sanitization

[Copilot]

The safe output sanitization now allows a broader set of HTML tags for better content formatting while removing potentially problematic tags.

Changes

• Added tags: h1-h6 (headings), hr (horizontal rule), pre (preformatted text), sub/sup (subscript/superscript), table/tbody/thead/tr/td/th (table elements)
• Removed tags: details, summary, u (underline)
• Updated: pkg/workflow/js/sanitize_content.cjs and corresponding tests
• Recompiled: All 108 workflow lock files to embed updated sanitization logic

New Allowed Tags

const allowedTags = [
  "b", "blockquote", "br", "code", "em",
  "h1", "h2", "h3", "h4", "h5", "h6",
  "hr", "i", "li", "ol", "p", "pre",
  "strong", "sub", "sup",
  "table", "tbody", "td", "th", "thead", "tr", "ul"
];

This affects all AI-generated content in GitHub issues, PRs, discussions, and comments created through agentic workflows.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login /ref/tags/v8 /tmp/go-build1085622423/b033/vet--log-format $name) { hasDiscussionsEnabled } } GOSUMDB GOWORK ease /opt/hostedtoolcache/go/1.25.0/xTest User -uns�� -unreachable=false /tmp/go-build1085622423/b082/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet *.ts' '**/*.json/tmp/gh-aw-compile-integration-3407499354/gh-aw (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login 16/create_pull_request.js /tmp/go-build1085622423/b145/vet1d801311d0541ff56a3420d194e7b50aeebfc1ea1983662cfb111c1098e632d8-1 (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login -unreachable=false /tmp/go-build1085622423/b080/vet.cfg 5bf59e80a155590f348061d57d40209313b/log.json JxoI/WrPBVIMzDvAgh run 64/pkg/tool/linulist /opt/hostedtoolc--json -ato�� pload-artifact/git/ref/tags/v5 -buildtags 1/x64/bin/node -errorsas -ifaceassert -nilfunc git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Update allowed HTML tag list: b, blockquote, br, code, em, h1–h6, hr, i, li, ol, p, pre, strong, sub, sup, table, tbody, td, th, thead, tr, ul

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.